Overlay network: Separating networks for access points without using VLAN

In many cases, networks in a shared physical infrastructure are separated by using VLANs. However, this method assumes that the switches operated in the network are VLAN-capable and that these are configured for VLAN operations. Consequently, the administrator has to roll out the VLAN configuration for the whole network.

WLCs enable you to separate the networks while minimizing the use of VLANs. The APs use a CAPWAP data tunnel to direct the payload from the WLAN clients straight to the WLC, which then assigns the data to the corresponding VLANs. In this situation, VLAN configuration is only required for the WLC and a single, central switch. All of the other switches in this example work without a VLAN configuration.

Note: With this configuration, you reduce the VLAN to the core of the network structure (illustrated with a blue background). What's more, only 3 of the switch ports in use require a VLAN configuration.
Figure 1. Example application: Overlay network

The diagram shows a sample application with the following components:

The aim of the configuration: A WLAN client that associates with an SSID is to have access to its "own" server, regardless of which AP is being used and regardless of the segment in which the client is located.

Note: The following description assumes a working basic configuration of the WLC. The configuration of the VLAN switch is not part of this description.

Configuring the WLAN settings

  1. For each SSID, create an entry in the list of logical networks, each with a suitable name and the corresponding SSID. Connect the SSID to a WLC tunnel, for example the first SSID to 'WLC-TUNNEL-1' and the second to 'WLC-TUNNEL-2'. Set the VLAN mode to 'tagged', set the VLAN ID '10' for the first logical network and the VLAN ID '20' for the second logical network. In LANconfig you find these settings under Configuration > WLAN Controller > Profiles > Logical WLAN networks (SSIDs).
  2. Create an entry in the list of physical WLAN parameters with the appropriate settings for your APs, such as the country 'Europe' with the channels 1, 6 and 11 in 802.11b/g/n and 802.11a/n in mixed mode. For this profile in the physical WLAN parameters, enable the option to turn on the VLAN module on the APs. Set the operating mode for the management VLAN in the APs to 'Untagged'. In LANconfig you find this setting under Configuration > WLAN Controller > Profiles > Physical WLAN parameters.
  3. Create a WLAN profile and give it a suitable name. Then assign the logical WLAN networks and the physical WLAN parameters created previously to this WLAN profile. In LANconfig you find this setting under Configuration > WLAN Controller > Profiles > WLAN profiles.
  4. For each managed AP, create an entry in the AP table with a suitable name and the associated MAC address. Assign the previously created WLAN profile to this AP. In LANconfig you find these settings under Configuration > WLAN Controller > AP config. > Access point table.

Configuring the interfaces on the WLC

  1. Assign a separate logical LAN interface, e.g. 'LAN-1', to each physical Ethernet port. Make sure that the other Ethernet ports are not assigned to the same LAN interface. In LANconfig you find these settings under Configuration > Interfaces > LAN > Ethernet ports.
  2. Assign the logical LAN interface 'LAN-1' and the WLC tunnels 'WLC-TUNNEL-1' and 'WLC-TUNNEL-2' to the bridge group 'BRG-1'. Make sure that the other LAN ports are not assigned to the same bridge group. In LANconfig you find this setting under Configuration > Interfaces > LAN > Port table.
    Note: By default, the LAN interfaces and WLC tunnels do not belong to a bridge group. By assigning the LAN interface 'LAN-1' and the two WLC tunnels 'WLC-TUNNEL-1' and 'WLC-TUNNEL-2' to the bridge group 'BRG-1', the device transmits all data packets between LAN-1 and the WLC tunnels via the bridge.
  3. Activate the VLAN module of the WLC under Interfaces > VLAN and, under VLAN table, assign the LAN port you selected above ('LAN-1') and also the corresponding WLC tunnel to the desired VLAN.
  4. Under Interfaces > VLAN > Port table, set the Tagging mode of the tunnel interface and the LAN interface, and set the corresponding port VLAN ID.

    Depending on how the switch is configured, set the Tagging mode of the LAN interface to 'Mixed' or 'Always'.

    In most cases the tunnel interfaces are operated with the mode 'Never', because the packets arriving here (from the WLAN) are always untagged and the WLC marks them with the port VLAN ID.

    Important: When you activate the VLAN module, please observe that the ARF networks configured on the WLC must be given a VLAN ID. In the VLAN configuration outlined above, you need to set the VLAN ID for the IP network to '1' in order for the WLC to reach the network without a VLAN tag.
    Note: A similar configuration is achieved by making the access point set a VLAN tag for packets that are to be sent via the tunnel, in which case the VLAN module of the WLC is not used.

    However, this bridging of the various WLC tunnels with one another causes broadcasts to be redirected into all of the tunnels; with a certain number of tunnels/SSIDs and APs, this can lead to load problems on the network and on the WLC. The VLAN module configuration presented here prevents this.

  5. In addition, configure the IP settings for the networks that are separated on layer 2 under IPv4 > General > IP networks.
    Important: To prevent the device from connecting these networks via layer 3, a separation must also be configured on layer 3, for example by using a port tag or by means of the firewall.
  6. The WLC optionally acts as a DHCP server for the APs. To set this up, activate the DHCP server for the 'INTRANET'. In LANconfig you find these settings under IPv4 > DHCPv4 > DHCP networks.
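As an added illustration (not LANCOM code), the following Python model reproduces the bridge group 'BRG-1' from steps 2 to 4 and shows why the VLAN module keeps a broadcast from one SSID out of the other tunnel, whereas plain bridging floods it into every tunnel. The tagging-mode semantics ('Never', 'Mixed', 'Always') are simplified assumptions made for this model.

```python
# Constructed model of bridge group BRG-1 from the steps above; not LANCOM code.
# Tagging-mode semantics below are simplified assumptions for illustration.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Frame:
    ingress: str           # port on which the frame arrives
    vlan: Optional[int]    # 802.1Q tag on the wire, None if untagged

# Step 4: port table. Tunnel ports use 'Never' (WLAN frames always arrive
# untagged and are marked with the port VLAN ID); LAN-1 is tagged 'Always'.
PORT_TABLE = {
    "LAN-1":        {"tagging": "Always", "pvid": 1},
    "WLC-TUNNEL-1": {"tagging": "Never",  "pvid": 10},
    "WLC-TUNNEL-2": {"tagging": "Never",  "pvid": 20},
}
# Step 3: VLAN table. Each tunnel shares a VLAN only with LAN-1.
VLAN_TABLE = {10: {"LAN-1", "WLC-TUNNEL-1"}, 20: {"LAN-1", "WLC-TUNNEL-2"}}

def ingress_vid(frame: Frame) -> Optional[int]:
    """VLAN ID assigned on ingress; None means the frame is dropped."""
    mode = PORT_TABLE[frame.ingress]["tagging"]
    pvid = PORT_TABLE[frame.ingress]["pvid"]
    if mode == "Never":                 # any tag is ignored, PVID applies
        return pvid
    if frame.vlan is None:              # untagged frame
        return pvid if mode == "Mixed" else None   # 'Always' drops untagged
    return frame.vlan

def flood(frame: Frame, vlan_module: bool = True) -> dict:
    """Egress ports and outgoing tag for a broadcast inside BRG-1."""
    if not vlan_module:                 # plain bridge: flood to every member
        return {p: frame.vlan for p in PORT_TABLE if p != frame.ingress}
    vid = ingress_vid(frame)
    if vid is None or frame.ingress not in VLAN_TABLE.get(vid, set()):
        return {}                       # dropped: VLAN not present on this port
    out = {}
    for port in VLAN_TABLE[vid] - {frame.ingress}:
        mode = PORT_TABLE[port]["tagging"]
        pvid = PORT_TABLE[port]["pvid"]
        untagged = mode == "Never" or (mode == "Mixed" and vid == pvid)
        out[port] = None if untagged else vid
    return out

if __name__ == "__main__":
    bc = Frame("WLC-TUNNEL-1", None)    # broadcast from a client on SSID 1
    print("VLAN module on: ", flood(bc))                     # only LAN-1, tagged 10
    print("VLAN module off:", flood(bc, vlan_module=False))  # also into WLC-TUNNEL-2
```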

www.lancom-systems.com

LANCOM Systems GmbH | A Rohde & Schwarz Company | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E‑Mail info@lancom.de
